While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques

March 2005

Reference Number: 2005-20-042

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

March 15, 2005

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM: Pamela J. Gardiner, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques (Audit # 200420035)

This report presents the results of our review to evaluate the susceptibility of Internal Revenue Service (IRS) employees to social engineering techniques for obtaining user account and password information.

In summary, the IRS has successfully completed significant efforts in securing its computer network perimeters from external cyber threats. Because hackers are unable to gain access through these Internet gateways into the IRS, they are likely to seek other ways to gain access to IRS systems and, ultimately, taxpayer data. One of the most common tactics is to convince an organization's employees to reveal their passwords. Along with user account names, passwords are needed to identify and authenticate employees before allowing them access to systems and data.

The IRS has adequate computer security policies and procedures that require employees to protect passwords on IRS computer systems. The IRS requires managers and employees to acknowledge these rules when they are given access to a system and annually thereafter. In addition, the rules are publicized on the Office of Mission Assurance and Security Services (MA&SS) internal web site and during its IRS-wide Computer Security Awareness Week. While these efforts are noteworthy, our tests showed some managers and employees still do not understand the rudimentary computer security practice of protecting their passwords.

We placed telephone calls to 100 managers and employees and posed as Information Technology helpdesk personnel seeking assistance to correct a network problem. Under this scenario, we asked the employees to provide their network login name and temporarily change their password to one we suggested. We were able to convince 35 managers and employees to provide us their user account names and change their passwords. Using our test scenario, a hacker or disgruntled employee could obtain usernames and passwords to gain unauthorized access to IRS systems.

Our audit results represented about a 50 percent improvement over a similar test we conducted in August 2001, in which 71 of 100 employees complied; however, we believe additional security awareness and emphasis are needed to reinforce the security responsibilities of IRS employees. The Chief, MA&SS, took aggressive and responsive measures to alert IRS employees of the risks associated with social engineering after being advised of our results. We recommended the Chief, MA&SS, continue security awareness efforts by periodically reminding managers and employees of social engineering risks and providing examples and scenarios that show how hackers can use social engineering tactics to gain access to IRS systems.

Management's Response: The Chief, MA&SS, concurred with our finding and recommendation. The topic of social engineering will be incorporated into the IRS mandatory annual Online Security Awareness Training, which will include examples and scenarios of tactics used to gain access to IRS systems. In addition, the Information Technology Security Program Office will issue periodic reminders in the form of an all-employee notice that will be included with employees' Earnings and Leave statements and an article in the MA&SS newsletter. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendation. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
Employees Were Persuaded to Provide Their Network Usernames and Change Their Passwords
    Recommendation 1
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management's Response to the Draft Report

Background

The Internal Revenue Service (IRS) annually processes over 222 million tax returns, which are converted into electronic records on various IRS systems. This information is protected by law and considered sensitive. Maintaining this type of information could make the IRS a target for computer hackers.

In recent years, the IRS has successfully completed significant efforts in securing its computer network perimeters from external cyber threats. Because hackers are unable to gain access through these Internet gateways into the IRS, they are likely to seek other ways to gain access to IRS systems and, ultimately, taxpayer data.

One such method is social engineering, which involves exploiting the human aspect of computer security for the purpose of gaining insider information about an organization's computer resources. One of the most common tactics is to convince an organization's employees to reveal their passwords. Along with user account names, passwords are needed to identify and authenticate employees before allowing them access to systems and data.

In August 2001, with the assistance of a contractor, we conducted social engineering tests on IRS employees as part of our penetration testing efforts. We placed calls to 100 IRS employees, asking them to change their password to one we suggested, and found 71 employees were willing to accommodate our requests.1

This review was conducted from our office in Walnut Creek, California, in December 2004. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

1 Management Advisory Report: Network Penetration Study of Internal Revenue Service Systems (Reference Number 2002-20-057, dated March 2002).

Employees Were Persuaded to Provide Their Network Usernames and Change Their Passwords

The IRS has adequate password policies and procedures. Managers and employees are not to share their passwords with others or reveal them to anyone, regardless of his or her position in or outside the IRS, and are not to accept passwords that are not delivered in a sealed envelope. Password protection allows the IRS to maintain its need-to-know restriction on access to IRS computer resources and taxpayer data.

To support password security awareness, the IRS requires all managers and employees to acknowledge these rules prior to obtaining access to any IRS system. Managers and employees must also recertify annually that they are aware of their security responsibilities.

In addition, the Office of Mission Assurance and Security Services (MA&SS)2 has posted these requirements on its internal web site, created a monthly security newsletter entitled the "Security Sentinel," which contains significant information on computer security, and established an IRS-wide Computer Security Awareness Week, which was held from November 29 to December 3, 2004.

While these awareness efforts are notable, some managers and employees are still susceptible to social engineering techniques. Similar to our tests in 2001, we placed telephone calls to 100 IRS employees, including managers. We posed as Information Technology (IT) helpdesk personnel who were seeking assistance to correct a network problem. Under this scenario, we asked employees to provide their network logon name and temporarily change their password to one we suggested.

We were able to convince 35 managers and employees to provide us their username and to change their password. While our results represented about a 50 percent improvement over the previous test conducted in 2001 (see Figure 1), a 35 percent noncompliance rate suggests additional emphasis or awareness is needed.

2 The mission of this office is to ensure the IRS has policies, plans, and procedures in place that will support the continuation of the IRS' business processes under all circumstances and the protection of its employees and other assets (i.e., revenue, data, and facilities).

Figure 1: Percentage of IRS Employees Willing to Change Passwords
[Bar chart, vertical axis 0 to 100 percent: August 2001, 71 percent; December 2004, 35 percent.]
Source: Treasury Inspector General for Tax Administration (TIGTA) reviews conducted in 2001 and 2004.

With an employee's user account name and password, a hacker could gain that employee's access privileges, though the IRS' strong systemic perimeter controls lessen this risk. Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password. With some knowledge of IRS systems and applications, this disgruntled employee could more easily gain unauthorized access to IRS data as well as damage information on IRS systems.

The 35 managers and employees who were willing to change their password gave several reasons why they were willing to accommodate our request.

• They were not aware of social engineering tactics or of the security requirements to protect their passwords.
• They were willing to assist in any way possible once we identified ourselves as the IT helpdesk.
• They were having network problems and the call seemed legitimate.
• Although they questioned the caller's identity and could not locate the caller's name, which was fictitious, in the IRS' global email address book, they changed their password anyway.
• They were hesitant, but their managers gave them approval to assist us.

Once informed this exercise was a TIGTA test, some managers and employees admitted they knew they were not supposed to share their password with anyone but did so anyway. During and after the test calls, employees contacted the Audit Manager who was supervising the test as well as the IRS Computer Security Incident Response Center (CSIRC) to verify the calls were part of a TIGTA test.

Within 2 days after completing our test, the Chief, MA&SS, issued an all-employee email alert about possible social engineering telephone calls and notified employees to immediately contact the CSIRC if they received these types of calls. One week after completing our calls, the Chief, MA&SS, provided employees more in-depth information on social engineering as part of the weekly all-employee "IRS Headlines" email. These actions illustrate aggressive, responsive measures to our efforts.

Recommendation

The Chief, MA&SS, should:

1. Enhance security awareness efforts by periodically reminding managers and employees of social engineering risks and providing examples and scenarios that show how hackers can use social engineering tactics to gain access to IRS systems.

Management's Response: The Chief, MA&SS, concurred with our recommendation and has incorporated the topic of social engineering into the IRS mandatory annual Online Security Awareness Training, which includes examples and scenarios of tactics used to gain access to IRS systems. In addition, the IT Security Program Office will issue periodic reminders in the form of an all-employee notice that will be included with the employees' Earnings and Leave statements and an article in the MA&SS newsletter.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to evaluate the susceptibility of Internal Revenue Service (IRS) employees to social engineering techniques for obtaining user account and password information. To accomplish this objective, we:

I. Evaluated the adequacy of IRS security policies and procedures that have been established to guide IRS employees in recognizing and handling social engineering techniques.
   A. Identified IRS policies, procedures, and guidelines on password security.
   B. Researched Federal Government guidelines and industry standards/guidance on social engineering techniques and defenses.

II. Conducted telephone calls to IRS employees posing as an Information Technology helpdesk employee.
   A. Developed a scenario for social engineering tactics using telephone calls. We decided to use a scenario similar to the one used during our previous test, conducted with the assistance of a contractor in 2001.
   B. Judgmentally selected a sample of 100 IRS employees from a population of 68,083 employees who were outside the Information Technology Services and the Mission Assurance and Security Services organizations and had network access as of November 2004. The sample of 100 employees was based on ensuring consistency with the previous test conducted in 2001 and allowing completion of the calls within a 1- to 2-day period with the available staffing.
   C. Prior to our calls, notified the Deputy Commissioner for Operations Support of our test and requested assistance in conducting this test spontaneously, so we could obtain a true gauge of employees' understanding of password security.
   D. Executed the telephone calls and documented the results of the review.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Kent Sagara, Audit Manager
Midori Ohno, Lead Auditor
Alan Beber, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
William Lessa, Senior Auditor
Abraham Millado, Senior Auditor
Stasha Smith, Senior Auditor
Charles Ekholm, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
   Chief, Mission Assurance and Security Services OS:MA
   Chief Information Officer OS:CIO

Appendix IV

Management's Response to the Draft Report
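The test scenario in this report leaves a trace a defender can look for, independent of awareness training: a self-service password change by a user outside the IT organizations that no helpdesk ticket asked for, and several such changes clustered inside the 1- to 2-day calling window the methodology describes. The following Python script is an added example written for this page, not TIGTA or IRS code. The log format, organization codes, helpdesk ticket list, window and threshold are assumptions, and the log lines are constructed.

```python
"""Flag password changes that look like the result of a helpdesk-impersonation
call: self-initiated, by a non-IT user, with no helpdesk ticket behind them,
and clustered in time across several users.

Added example. Log format, org codes, ticket list and thresholds are assumptions,
not anything taken from the TIGTA report.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Change = namedtuple("Change", "ts user org initiator")

# Constructed sample log lines (not real IRS data); the key=value format is assumed.
SAMPLE_LOG = """\
2004-12-07T09:02:11 event=password_changed user=asmith org=W&I initiator=self
2004-12-07T09:05:40 event=password_changed user=bjones org=SBSE initiator=self
2004-12-07T09:07:03 event=password_changed user=cwong org=LMSB initiator=self
2004-12-07T09:09:55 event=password_changed user=dlee org=TEGE initiator=self
2004-12-07T09:12:18 event=password_changed user=itadmin org=ITS initiator=self
2004-12-07T09:13:27 event=login_failed user=asmith org=W&I
2004-12-07T14:30:00 event=password_changed user=egarcia org=W&I initiator=self
2004-12-08T08:15:00 event=password_changed user=fkhan org=SBSE initiator=helpdesk
"""

# Users for whom the real helpdesk opened a password-reset ticket (assumed).
HELPDESK_TICKETS = {"fkhan", "egarcia"}

# Organizations whose staff reset passwords as part of their job (assumed codes).
IT_ORGS = {"ITS", "MA&SS"}


def parse_log(text):
    """Turn key=value log lines into Change records, keeping password changes only."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") != "password_changed":
            continue
        changes.append(Change(datetime.fromisoformat(ts_str), kv["user"],
                              kv["org"], kv.get("initiator", "self")))
    return changes


def unticketed_changes(changes, tickets, it_orgs):
    """Self-initiated changes by non-IT users with no helpdesk ticket.

    A caller posing as the helpdesk leaves exactly this trace: the employee
    'helped' by changing the password, but the real helpdesk never opened a ticket.
    """
    return [c for c in changes
            if c.initiator == "self" and c.org not in it_orgs and c.user not in tickets]


def detect_burst(changes, window, threshold):
    """Report clusters of at least `threshold` unticketed changes within `window`.

    Returns a list of (window_start, users_in_window); a cluster is reported once.
    """
    changes = sorted(changes, key=lambda c: c.ts)
    alerts, i = [], 0
    while i < len(changes):
        start = changes[i]
        in_window = [c for c in changes[i:] if c.ts - start.ts <= window]
        if len(in_window) >= threshold:
            alerts.append((start.ts, [c.user for c in in_window]))
            i += len(in_window)  # skip past the cluster so it is not re-reported
        else:
            i += 1
    return alerts


def analyze(text=SAMPLE_LOG, tickets=HELPDESK_TICKETS, it_orgs=IT_ORGS,
            window=timedelta(minutes=15), threshold=3):
    """Run both checks over a log; returns (suspect changes, cluster alerts)."""
    suspects = unticketed_changes(parse_log(text), tickets, it_orgs)
    return suspects, detect_burst(suspects, window, threshold)


if __name__ == "__main__":
    suspects, alerts = analyze()
    for c in suspects:
        print(f"unticketed password change: {c.ts} {c.user} ({c.org})")
    for ts, users in alerts:
        print(f"possible social engineering campaign from {ts}: {', '.join(users)}")
```

On the constructed log this flags asmith, bjones, cwong and dlee as unticketed changes and reports them as one cluster starting at 09:02; itadmin is excluded as IT staff, and egarcia and fkhan have tickets. The ticket list is the weak point of the rule: it catches the report's scenario (a caller who never touches the real helpdesk) but not an insider who can also open a ticket, so the cluster check matters as a second signal, and the threshold must be tuned against the organization's normal daily reset volume.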